← Back to context

Comment by UltraSane

4 months ago

Passkeys are asymmetric keys so a hacked site cannot leak the hash or even the plaintext of a passkey. And the private key is never exported to insecure hardware. Funny how so many Linux gurus have been shitting on using passwords for SSH for decades in favor of using SSH keys and now that there is an actually effort to use what are essentially SSH keys tied to a specific domain they are rejecting it.

7 comments

UltraSane

Reply
tempestn  4 months ago

Sorry, I'm still not clear what the advantage is, compared to storing unique passwords in 1pw. If a site is hacked, the only thing at risk is my data on that specific site, which would be the case either way. I definitely understand how they would be easier and more secure for people who don't use a pw manager, but that's not my question.

  • packtreefly  4 months ago

    There are some obvious, significant benefits I can think of off the top of my head:

    - Passkeys give the website no secret to keep.

    Breach of the passkey public key is not an event worthy of credential rotation.

    - Passkey authentication is submitted via a rigorously-defined mechanism intended for machine-to-machine communication.

    Ever had your password manager try to fill the wrong field with your login credentials? Passkeys cannot make that mistake. There's no heuristic mechanism at play trying to figure out where to insert the passkey.

    - Passkeys are immune to credential theft via MITM

    Sure the MITM could hijack the session, but not the credential. (I know this one is a stretch, but you asked for anything)

  • UltraSane  4 months ago

    They aren't that much more secure than a random 256 bit unique password for every site stored in a secure password manager. They are designed to raise the security for the average user, not the most security conscious.

    https://www.computest.nl/en/knowledge-platform/blog/advantag...

    • tekknik  4 months ago

      This is a weird take. The passkey can be up to 1400 bits in length which makes it significantly more difficult to brute force than a 256 bit password. Not to mention some sites won’t even let you type in a password that long, and then ofc rainbow tables.

      Passkeys are significantly more secure for everybody.

      2 replies →